📄 j2ssh-clientserver-part-one.htm
字号:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body>
<h2><font face="Times New Roman, Times, serif"> <font face="Verdana, Arial, Helvetica, sans-serif">Part 1 </font></font> <font face="Verdana, Arial, Helvetica, sans-serif">- Securing your client-server application
with J2SSH</font>
</h2>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Using J2SSH is
a great way to secure and enhance your insecure client-server application (or
improve an SSL based one). Now it certainly would be a great idea at this point
to spend some time evaluating the different methods of securing an applications
communication, I could waste pages explaining about SSL or teaching you how
to write your proprietary encryption process, but that's not why were here is
it? And it's certainly not why I am here! You're here because you know SSH,
you use it everyday to access every other computer your work on, or at least
you should! You're here because SSH provides strong encryption, integrity checking
and public key authentication of both the client and the server; the thing is
you want your client-server application to provide that too, so that's what
were going to do today. </font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">This tutorial assumes
you have a working knowledge of SSH clients and servers. Most importantly you
should understand the concept of SSH port forwarding. In this series of articles
we will discuss two ways to secure your client-server application</font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><em><strong>1.
Secure existing applications by channelling the TCPIP data through a secure
tunnel to an SSH server installed on the same machine as your application server</strong></em></font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">You may have already
used standard SSH port forwarding to setup a secure tunnel to transport your
connection, but maintaining both the SSH client and SSH server in addition to
your own client and server is not a realistic proposition. </font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The quickest way
to secure your application with J2SSH is to use this very process, but instead
of maintaining an SSH client, you can use J2SSH directly within your client
code.</font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><em><strong>2.
Build an SSH server to provide your applications services.</strong></em></font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">J2SSH comes with
a set of daemon classes that enable the creation of a custom SSH server in no
time! The SSH server itself is already preconfigured to accept connections so
the main framework is already available. Your responsibility firstly will be
to develop an authentication provider to plug into your existing applications
authentication mechanism, and secondly to provide a channel implementation that
replaces your applications socket communication. There are of course a few more
details but it could not be much simpler! </font></p>
<!--pagebreak-->
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><br>
<font size="4" face="Times New Roman, Times, serif">Securing existing applications by
channelling TCPIP data through a secure tunnel</font></font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">This method essentially
forwards your client-server communication through a secure tunnel just as if
you had setup standard port forwarding between your client host and the server.
The difference is that J2SSH does not require the installation of an SSH client,
instead it allows your client application to connect to the SSH server directly
and instruct the server where to forward the data to thus removing the configuration
nightmare of using port forwarding. </font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong><em>Setup
an SSH server on the same host as your application server</em></strong></font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">First thing we
need to do is to install an SSH server on the same host as your application
server. That's up to you I'm afraid, we cannot help you out there. Once you
have the server installed create an account on the host for your client application,
J2SSH will need to authenticate to the SSH server, so it's a good idea to have
an account for the application, and since we don't want to be putting passwords
into the code we will also want a private key without a passphrase.</font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Configure your
applications account with the public key and test the connection; you should
be able to connect without any prompting. Finally, setup your application server
to listen on the local loopback address. This will ensure that clients cannot
connect directly.</font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong><em>Replace
your existing client socket connection with an SSH connection using J2SSH</em></strong></font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Now that we have
a server installed, a private key for your application to authenticate with
and your application server running, we can now turn to the client code changes.
We need to replace your existing connection code with the following process</font></p>
<ol>
<li><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Create a connection
to the SSH server</font></li>
<li><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> Authenticate
using the client applications public key</font></li>
<li><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> Create a tunnel
to your application server</font></li>
<li><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> Start your
own communication using the tunnel's IO streams</font></li>
</ol>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><br>
Creating the connection is straight forward, you will obviously need to take
into account integrating this code into your own client but the connection procedure
is as follows</font></p>
<code>
<blockquote>import com.sshtools.j2ssh.SshClient;<br><br>
public SshClient createConnection() { <br>
<blockquote>// Make a client connection SshClient <br>
ssh = new SshClient(); <br>
// Connect to the host <br>
ssh.connect("your-applications-host"); </blockquote>
} </blockquote>
</code>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">
If you run the above code you will notice that the user is prompted in the console
to verify the host key of the server. Its probably going to be a good idea to
override this default behaviour since not everyone will see the console output.
There are a couple of methods available, you could use a different HostKeyVerification
implementation, for example the DialogHostKeyVerification will prompt the user
using a dialog, and there is also IgnoreHostKeyVerification which simply ignores
the process. For now we will use this, since were sure that the server is correct,
however when you deploy your client to production environments its wise to replace
this with either the dialog verification or your own custom implementation.
</font></p>
<p></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Lets import the
new verification process</font></p>
<blockquote><code>import com.sshtools.j2ssh.transport.IgnoreHostKeyVerification;</code></blockquote>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">
and change the connect call</font></p>
<blockquote><code>ssh.connect("your-applications-host", new IgnoreHostKeyVerification());</code></blockquote>
<!--pagebreak-->
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> Now we can connect
to the SSH server, and the next step is to authenticate using our newly generated
private key. First we need to open the private key file, this can be done with
the following code.</font></p>
<blockquote><code>import com.sshtools.j2ssh.transport.authentication.SshPrivateKeyFile;<br>
<br>
....<br>
<br>
// Open up the private key file<br>
SshPrivateKeyFile file =<br>
SshPrivateKeyFile.parse(new File("filename"));</code></blockquote>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><br>
This provides us with a copy of the file in memory, since we don't have a passphrase
on the key we can simply add the key to a new instance of the PublicKeyAuthenticationClient
which we are going to use to authenticate with.</font></p>
<blockquote><code>import com.sshtools.j2ssh.authentication.PublicKeyAuthenticationClient;<br>
<br>
.....<br>
<br>
PublicKeyAuthenticationClient
pk = new PublicKeyAuthenticationClient();<br>
Pk.setUsername("username");<br>
Pk.setKey(file.toPrivateKey(null));</code></blockquote>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Now that the key
is loaded into the authentication instance, we can authenticate.</font></p>
<blockquote><code>if(ssh.autenticate(pk)==
AuthenticationProtocolState.COMPLETED) {<br>
<blockquote>// Authentication Complete</blockquote>
}</code></blockquote>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">Now that we have
successfully authenticated, were ready to create the secure tunnel for your
application. To do this we are going to create a local forwarding channel, local
forwarding is initiated by the client where by remote forwarding is initiated
by the server. This forwarding channel will provide a set of IO streams for
your client application to use in place of the Sockets IO streams. </font></p>
<blockquote><code>import com.sshtools.j2ssh.forwarding.ForwardingIOChannel;<br>
<br>
.....<br>
<br>
ForwardingIOChannel channel = new ForwardingIOChannel(
<blockquote> ForwardingIOChannel.LOCAL_FORWARDING_CHANNEL, <br>
"127.0.0.1",<br>
10022,<br>
"myhost",<br>
10022); </blockquote>
</code></blockquote>
<p></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">We now have a channel
ready so lets waste no more time and open it</font></p>
<blockquote><code>if(ssh.openChannel(channel))
{
<blockquote>// Channel is opened and can be used<br>
channel.getOutputStream("START".getBytes());<br>
....</blockquote>
}</code></blockquote>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"> Once the channel
is open, you can use its IO streams in place of your Socket, your application
should not require any changes.</font></p>
<!--pagebreak-->
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong><em>The
advantages and disadvantages of using a secure tunnel</em></strong></font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">The main advantage
of this method is that it's a quick fix for an insecure application. By forwarding
the traffic through an embedded SSH tunnel your application's data is now secure.
However, your server has no access to the strong authentication that the SSH
server provides and you still need to maintain a separate SSH server and authentication
details for your client application. Of course these can be minimized by embedding
a private key into your client application but that in itself a potential
security flaw. What you need is to have your server support SSH connections
directly. </font></p>
<p><font size="2" face="Verdana, Arial, Helvetica, sans-serif">In the next part
of this series, I will show you how to build your own SSH server using the J2SSH
daemon classes. Be prepared though as its not something you're going to be able
to plug-in to your existing server, instead we will build an SSH server capable
of supporting your applications proprietary protocol.<br>
</font><font face="Verdana, Arial, Helvetica, sans-serif"> </font> </p>
</body>
</html>
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -